sudo使用
/etc/sudo.conf
/etc/sudoers
/etc/sudoers.d/
/etc/sudo-ldap.conf
/etc/sudoers sudo安全策略配置文件
# /etc/sudoers — sudo security policy, parsed per sudoers(5); edit only with visudo
# Refuse to run unless the invoking user has a real tty (blocks cron / scripted use)
Defaults requiretty
# Do not prompt for a password when the terminal cannot hide what is typed
Defaults !visiblepw
# Always set HOME to the target user's home directory
Defaults always_set_home
# Start the target command with a minimal environment; only env_keep survives
Defaults env_reset
# Caller-supplied variables passed through to the target command.
# Keep this list short: every entry is input the caller controls.
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
# Fixed PATH for commands run via sudo, so the caller's PATH cannot redirect lookups
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
# root may run any command as any user on any host
root ALL=(ALL) ALL
# Drop-in fragments. Entries are last-match-wins, so keep this line last;
# files here need the same root ownership and restrictive mode as this file.
#includedir /etc/sudoers.d
环境变量
requiretty # sudo runs only when the user is on a real login tty; non-interactive use is refused
always_set_home # HOME is set to the target user's home directory for the command
visiblepw # allow the password prompt even if the terminal cannot hide input; the file above disables it with !visiblepw
别名
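# User alias specification
# A User_Alias groups login names so one rule can cover several accounts.
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim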
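# Runas alias specification
# A Runas_Alias names the target identities a rule may switch to, used as (ALIAS).
# OP includes root, so any rule granting (OP) ALL is effectively a root grant.
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper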
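# Host alias specification
# A Host_Alias lists hostnames or networks; ':' separates several aliases in one
# Host_Alias line, and a trailing '\' continues the line.
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
           SGI = grolsch, dandelion, black :\
           ALPHA = widget, thalamus, foobar :\
           HPPA = boa, nag, python
# Networks may be given with a netmask or CIDR prefix
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules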
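# Cmnd alias specification
# A Cmnd_Alias groups absolute command paths; a trailing '\' continues the line.
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
           /usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
# SHELLS and SU are typically referenced as exclusions (!SHELLS, !SU).
# sudoers(5) warns that negated command lists are not a reliable restriction;
# prefer explicit allow-lists of the commands a user actually needs.
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
           /usr/local/bin/tcsh, /usr/bin/rsh,\
           /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
# Pagers can start subprocesses; if PAGERS is granted, consider the NOEXEC tag.
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less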
访问控制
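# User specification, format: User Host = (RunAs) Command
# Entries are evaluated top to bottom and the last match wins.
# root and members of group wheel may run any command as any user on any host
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
# Members of FULLTIMERS may run any command on any host without a password.
# NOPASSWD: ALL is unauthenticated root; keep that alias to the minimum.
FULLTIMERS ALL = NOPASSWD: ALL
# Members of PARTTIMERS may run any command on any host; a password is required
PARTTIMERS ALL = ALL
# ':' separates two host specs: bob may run anything as OP on SPARC and on SGI hosts
bob SPARC = (OP) ALL : SGI = (OP) ALL
# fred may run any command as DB (oracle, sybase) on any host without a password
fred ALL = (DB) NOPASSWD: ALL
# ',' separates two runas specs: WEBMASTERS may run anything as www, and
# run "su www" as root, on host www only
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
# operator gets the listed aliases, sudoedit of /etc/printcap, and every file
# directly under /usr/oper/bin/ (a trailing '/' means "any command in that
# directory"; it must not be writable by operator or the grant becomes ALL)
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING, sudoedit /etc/printcap, /usr/oper/bin/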